Servers can validate the identity of the client using Client Identity Certificates. Avaya Client SDK Communications Package support builds on the concepts outlined in Working with Certificates.
Client Certificates are supported with the following providers:
The Client SDK does not itself validate Client Certificates; the server's validation responses are passed through to your application.
The following code snippet demonstrates how to pass the certificate chain and the identity to the Client SDK using CSCertificateManager.
// Retrieve the client certificate chain from the key store or a keychain
// for the given alias.
NSArray *certChain = [keyChain getCertificateChainWithContext: mContext alias: alias];
// Retrieve the identity (certificate plus its private key).
SecIdentityRef identity = [keyChain getSecIdentityWithContext: mContext alias: alias];
// Set both the client certificate chain and the identity.
// Returns NO in case of errors.
NSError *error = nil;
if ([client.certificateManager setClientIdentity: identity
                            withCertificateChain: certChain
                                           error: &error])
{
    // Client certificate has been successfully provisioned.
}
Use the CSCertificateManager properties to obtain the certificate chain and the identity holding the RSA private key used by the Client SDK.
// Retrieve the complete client certificate chain.
NSArray *certChain =
    (NSArray *)client.certificateManager.clientIdentityCertificateChain;
// Retrieve the identity.
SecIdentityRef identity = client.certificateManager.clientIdentity;
You can register your application to receive expiration notifications by implementing the CSCertificateManagerClientIdentityDelegate protocol.
Optionally, use the CSSecurityPolicyConfiguration object to specify the percentage of the client identity certificate's age after which certificate status notifications are issued.
// Create and initialise the Security Policy Configuration.
// Issue the expiration notification once 90% of the certificate's
// validity period has elapsed.
CSSecurityPolicyConfiguration *securityPolicyConfig = [CSSecurityPolicyConfiguration new];
securityPolicyConfig.certificateRenewalValue = 90;
// A delegate class implementing the CSCertificateManagerClientIdentityDelegate protocol.
AppClientIdentityHandler *clientIdentityHandler = [[AppClientIdentityHandler alloc] init];
// Set the delegate.
client.certificateManager.clientIdentityDelegate = clientIdentityHandler;
// The expiration notification is delivered via the
// certificateManager:clientIdentityWillExpireInDays: callback.
The Client SDK will notify your application when the identity certificate approaches expiration.
@interface AppClientIdentityHandler ()
...
@end

@implementation AppClientIdentityHandler
- (void) certificateManager: (CSCertificateManager *)certManager
clientIdentityWillExpireInDays: (NSInteger)daysToExpire
{
    // Add your code here.
    // Use the number of days to warn your user (and to trigger renewal).
}
...
@end
To stop receiving notifications and remove the provisioned identity:
// Remove the client identity delegate.
client.certificateManager.clientIdentityDelegate = nil;
// Delete the client identity.
NSError *error = nil;
if ([client.certificateManager deleteClientIdentityWithError: &error])
{
    // Client identity certificate was deleted.
}
The Client SDK supports SCEP to retrieve Identity Certificates. Create a CSSCEPConfiguration object and pass it to the enrollWithConfiguration:enrollmentCredentialProvider:completionHandler: method of the CSCertificateManager object.
CSSCEPConfiguration *scepConfiguration = [CSSCEPConfiguration new];
// Populate scepConfiguration details (certificate common name,
// challenge password and the remaining SCEP settings).
EnrollmentCredentialProvider *enrollmentCredentialProvider =
    [[EnrollmentCredentialProvider alloc]
        initWithCommonName: scepConfiguration.certificateCommonName
               andPassword: scepConfiguration.challengePassword];
[client.certificateManager enrollWithConfiguration: scepConfiguration
                      enrollmentCredentialProvider: enrollmentCredentialProvider
                                 completionHandler:
    ^(CFArrayRef identityCertChain, SecIdentityRef secIdentity, NSError *result)
    {
        // Enrollment completion handler: on success, secIdentity and
        // identityCertChain hold the new identity; result is non-nil on failure.
    }];
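The expiration delegate and the SCEP enrollment call above fit together naturally: the warning is the point at which to renew. The following delegate implementation is an added example, not Avaya's code; it assumes the application sets scepConfiguration before registering the delegate, that EnrollmentCredentialProvider is the app-defined class used in the snippets above, and (since the page does not say whether the callback repeats) guards against overlapping enrollments.

```objectivec
// Added example (not Avaya's code): a delegate that answers the expiry warning by
// re-enrolling via SCEP and installing the renewed identity. Assumed: the app sets
// scepConfiguration before registering the delegate, and EnrollmentCredentialProvider
// is the app-defined class used in the snippets above.
@interface AppClientIdentityHandler : NSObject <CSCertificateManagerClientIdentityDelegate>
@property (nonatomic, strong) CSSCEPConfiguration *scepConfiguration;
@property (nonatomic, assign) BOOL renewalInProgress;
@end

@implementation AppClientIdentityHandler
- (void)certificateManager:(CSCertificateManager *)certManager
clientIdentityWillExpireInDays:(NSInteger)daysToExpire
{
    // Fired once the certificate has used certificateRenewalValue percent of its
    // lifetime. Whether it repeats is not documented here, so allow one renewal at a time.
    if (self.renewalInProgress) {
        return;
    }
    self.renewalInProgress = YES;
    NSLog(@"Client identity expires in %ld days; starting SCEP renewal", (long)daysToExpire);

    EnrollmentCredentialProvider *provider =
        [[EnrollmentCredentialProvider alloc]
            initWithCommonName:self.scepConfiguration.certificateCommonName
                   andPassword:self.scepConfiguration.challengePassword];

    __weak typeof(self) weakSelf = self;
    [certManager enrollWithConfiguration:self.scepConfiguration
            enrollmentCredentialProvider:provider
                       completionHandler:^(CFArrayRef identityCertChain,
                                           SecIdentityRef secIdentity,
                                           NSError *result)
    {
        weakSelf.renewalInProgress = NO;
        if (result != nil || secIdentity == NULL) {
            // Keep the current identity; it remains valid until its notAfter date.
            NSLog(@"SCEP enrollment failed: %@", result);
            return;
        }
        // Swap in the renewed identity and chain; on failure the old one stays active.
        NSError *setError = nil;
        if (![certManager setClientIdentity:secIdentity
                       withCertificateChain:(__bridge NSArray *)identityCertChain
                                      error:&setError]) {
            NSLog(@"Installing the renewed identity failed: %@", setError);
        }
    }];
}
@end
```

Register an instance of this class as clientIdentityDelegate exactly as in the delegate snippet above; the renewed identity is then available through clientIdentity and clientIdentityCertificateChain.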